夢のの夢

Reputation: 5846

How to publish the result of a Lambda function to a cross-account Kinesis stream

Say I have two accounts, 111111111111 and 222222222222, and want to do the following.

  (Lambda)   ->  (Kinesis)
111111111111     222222222222

Where the Lambda function is a trigger for a data source (could be another Kinesis stream in 111111111111).

exports.handler = async (event, context) => {

  // data transformed here
  const result = event.records.map(record => {});

  return {data: result};
}

I am trying to format the data in 111111111111's Lambda Function and then send it to 22222222222's Kinesis stream, but I couldn't find many resources on this.

I came across this SO post. IAM role aside, it seems like each invocation of the Lambda Function needs to create a session with the 22222222222 account and create a Kinesis instance in order to call PutRecord. This looks like a red flag to me, as I was thinking the Lambda function could just set up a cross-account destination with resourceArn to send its result data to. What am I missing, and is there a better alternative to doing this?

Upvotes: 1

Views: 772

Answers (1)

Marcin

Reputation: 238957

> This looks like a red flag to me as I was thinking Lambda function could just set up a cross-account destination with resourceArn to send its result data to.

This is not a red flag. Cross-account IAM roles are how it is done for Kinesis, because Kinesis streams don't have resource-based policies. So you have to assume an IAM role from account 2 in your Lambda.

I'm not sure which resourceArn you are referring to. The only one I can think of is resourceArn for Kinesis Data Analytics. This does not apply to Kinesis Data Streams.

Upvotes: 1
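
The role assumption described in the answer does not have to be repeated on every invocation. This added example (not code from the question or the answer) keeps the assumed-role Kinesis client at module scope, so warm invocations reuse it, and refreshes it shortly before the temporary credentials expire. The role ARN, stream name, region and the `id` field used as partition key are assumptions; the AWS SDK v3 modules are loaded lazily.

```javascript
// Added example, not from the post. ROLE_ARN, STREAM_NAME, REGION and the `id`
// field used as partition key are assumed placeholders.
const ROLE_ARN = "arn:aws:iam::222222222222:role/kinesis-writer"; // hypothetical role
const STREAM_NAME = "target-stream"; // hypothetical stream in 222222222222
const REGION = "us-east-1"; // assumed
const REFRESH_MARGIN_MS = 5 * 60 * 1000; // re-assume 5 minutes before expiry

// Real AWS calls (SDK v3), required lazily so the caching logic runs offline too.
const awsDeps = {
  async assumeRole() {
    const { STSClient, AssumeRoleCommand } = require("@aws-sdk/client-sts");
    const out = await new STSClient({ region: REGION }).send(
      new AssumeRoleCommand({ RoleArn: ROLE_ARN, RoleSessionName: "lambda-kinesis-writer" }));
    return out.Credentials; // AccessKeyId, SecretAccessKey, SessionToken, Expiration
  },
  makeKinesis(c) {
    const { KinesisClient, PutRecordsCommand } = require("@aws-sdk/client-kinesis");
    const client = new KinesisClient({ region: REGION, credentials: {
      accessKeyId: c.AccessKeyId, secretAccessKey: c.SecretAccessKey, sessionToken: c.SessionToken,
    } });
    return { putRecords: (Records) =>
      client.send(new PutRecordsCommand({ StreamName: STREAM_NAME, Records })) };
  },
};

function createPublisher(deps = awsDeps, now = () => Date.now()) {
  let cached = null; // survives across warm invocations of the same container
  async function client() {
    if (!cached || cached.expiresAt - now() < REFRESH_MARGIN_MS) {
      const creds = await deps.assumeRole();
      cached = { kinesis: deps.makeKinesis(creds), expiresAt: new Date(creds.Expiration).getTime() };
    }
    return cached.kinesis;
  }
  return async function publish(items) {
    const records = items.map((item) => ({
      Data: Buffer.from(JSON.stringify(item)),
      PartitionKey: String(item.id),
    }));
    const out = await (await client()).putRecords(records);
    // PutRecords can succeed as a call while rejecting individual records.
    if (out.FailedRecordCount > 0) throw new Error(`${out.FailedRecordCount} records rejected`);
    return records.length;
  };
}

const publish = createPublisher(); // created once per container, not per invocation
const handler = async (event) => ({ published: await publish(event.records) });
if (typeof exports !== "undefined") exports.handler = handler; // CommonJS export
```

The execution role in 111111111111 needs `sts:AssumeRole` on the target role, and the target role's trust policy must name that execution role; granting the target role only `kinesis:PutRecords` on the one stream keeps the cross-account access narrow.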
